On Wed, Feb 28, 2007 at 11:00:59AM +1100, Darren Tucker wrote:
> On Tue, Feb 27, 2007 at 05:38:37PM -0500, Josh Grosse wrote:
> > After building -current on Feb 25, I noticed when I attempted to use S/Key
> > remotely, that it was not a permitted authentication style.  (I use S/Key
> > when public key authentication is not available, so it may have nothing to
> > do with recent changes to how sshd_config Match works, and may be something
> > else entirely, I have not used S/Key in a few weeks.)
> 
> I had a quick look at it and it appears to be due to the Match changes
> interacting with this code in auth2.c:do_authentication2():
> 
>         /* challenge-response is implemented via keyboard interactive */
>         if (options.challenge_response_authentication)
>                 options.kbd_interactive_authentication = 1;
> 
> It works if you set "KbdInteractiveAuthentication yes" in sshd_config
> (and I suggest this as a workaround) rather than relying on
> ChallengeResponseAuthentication.
> 
> I'll do a patch later today.

This seems to be the simplest way to do it.

Index: auth2.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/auth2.c,v
retrieving revision 1.113
diff -u -p -r1.113 auth2.c
--- auth2.c     3 Aug 2006 03:34:41 -0000       1.113
+++ auth2.c     28 Feb 2007 00:05:10 -0000
@@ -92,10 +92,6 @@ int user_key_allowed(struct passwd *, Ke
 void
 do_authentication2(Authctxt *authctxt)
 {
-       /* challenge-response is implemented via keyboard interactive */
-       if (options.challenge_response_authentication)
-               options.kbd_interactive_authentication = 1;
-
        dispatch_init(&dispatch_protocol_error);
        dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
        dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);
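
Review bot: With the block removed from the top of do_authentication2(), nothing at authentication time ties options.kbd_interactive_authentication to options.challenge_response_authentication any more, so the coupling now depends entirely on where the options structure is populated. Please confirm that every path that gives challenge_response_authentication its final value (including a default applied when the keyword is absent from sshd_config) runs before or through the new code in parse_server_config(); otherwise S/Key would still be refused on a default configuration. A one-line comment here pointing to the new location would also help the next reader who looks for the mapping in auth2.c.
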
Index: servconf.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/servconf.c,v
retrieving revision 1.169
diff -u -p -r1.169 servconf.c
--- servconf.c  22 Feb 2007 12:58:40 -0000      1.169
+++ servconf.c  28 Feb 2007 00:05:10 -0000
@@ -1345,4 +1345,8 @@ parse_server_config(ServerOptions *optio
        if (bad_options > 0)
                fatal("%s: terminating, %d bad configuration options",
                    filename, bad_options);
+
+       /* challenge-response is implemented via keyboard interactive */
+       if (options->challenge_response_authentication)
+               options->kbd_interactive_authentication = 1;
 }
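
Review bot: The added test at the end of parse_server_config(), "if (options->challenge_response_authentication)", is a plain truthiness check, so it fires for any non-zero value. If the field can still hold a non-zero "not set" sentinel when parsing finishes, this would switch kbd_interactive_authentication on even though the administrator configured nothing; comparing explicitly against 1 avoids that. The assignment is also one-way: it only ever sets kbd_interactive_authentication to 1, so if this function is run again for a Match block that turns ChallengeResponseAuthentication off, the earlier 1 stays in place. Worth stating in the comment whether that is intended, and whether an explicit "KbdInteractiveAuthentication no" is meant to be overridden.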

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
